[
https://issues.apache.org/jira/browse/KAFKA-19359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Luke Chen resolved KAFKA-19359.
-------------------------------
Fix Version/s: 3.9.2, 4.0.1, 4.1.0
Resolution: Fixed
> [8.8] [CVE-2025-48734] [commons-beanutils] [1.9.4]
> --------------------------------------------------
>
> Key: KAFKA-19359
> URL: https://issues.apache.org/jira/browse/KAFKA-19359
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 4.0.0
> Reporter: Surojeet Ghosh
> Priority: Major
> Fix For: 3.9.2, 4.0.1, 4.1.0
>
>
> This security defect has been flagged by *Aqua container scan*. The description
> of the security defect is given below:
> *Aqua Description :* Improper Access Control vulnerability in Apache Commons.
> A special BeanIntrospector class was added in version 1.9.2. This can be used
> to stop attackers from using the declared class property of Java enum objects
> to get access to the classloader. However this protection was not enabled by
> default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows
> declared class level property access by default.
> Releases 1.11.0 and 2.0.0-M2 address a potential security issue when
> accessing enum properties in an uncontrolled way. If an application using
> Commons BeanUtils passes property paths from an external source directly to
> the getProperty() method of PropertyUtilsBean, an attacker can access the
> enum's class loader via the "declaredClass" property available on all Java
> "enum" objects. Accessing the enum's "declaredClass" allows remote attackers
> to access the ClassLoader and execute arbitrary code. The same issue exists
> with PropertyUtilsBean.getNestedProperty().
> Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector
> suppresses the "declaredClass" property. Note that this new BeanIntrospector
> is enabled by default, but you can disable it to regain the old behavior; see
> section 2.5 of the user's guide and the unit tests.
> This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before
> 2.0.0-M2. Users of the artifact commons-beanutils:commons-beanutils
> 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.
> Users of the artifact org.apache.commons:commons-beanutils2
> 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
> *My Review*
> I checked: this defect is due to the commons-validator version 1.9.0 used in Kafka
> v4.0.0.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
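The access path the advisory describes, as an added example that is not code from the Kafka project or from commons-beanutils. It assumes commons-beanutils 1.9.x on the classpath (the 1.9.4 that commons-validator 1.9.0 pulls in); the bean, enum and field names are hypothetical. Note that java.lang.Enum exposes getDeclaringClass(), so the bean property JavaBeans introspection actually publishes is "declaringClass"; the 1.9.2+ default SuppressPropertiesBeanIntrospector only suppresses "class", which is why the nested path below still reaches the ClassLoader on 1.9.4. The hardened form registers a second SuppressPropertiesBeanIntrospector for that property name using the public constructor that exists since 1.9.2; 1.11.0 does this by default, and allow-listing the property path before it ever reaches getProperty() remains the stronger control.

```java
import java.util.Collections;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

// Added example, not Kafka or commons-beanutils project code.
// Assumes commons-beanutils 1.9.x (e.g. 1.9.4); names below are hypothetical.
public class BeanUtilsEnumProbe {

    // A bean with an enum-typed property, the shape the advisory describes.
    public enum Mode { READ, WRITE }

    public static class Config {
        private Mode mode = Mode.READ;
        public Mode getMode() { return mode; }
        public void setMode(Mode mode) { this.mode = mode; }
    }

    // Vulnerable pattern: a property path taken from an external source goes
    // straight into getProperty(). With 1.9.4 defaults, "mode.class" is
    // suppressed but "mode.declaringClass" is not, so the nested path
    // "mode.declaringClass.classLoader" resolves to the enum's ClassLoader.
    public static Object resolveUntrusted(Config bean, String pathFromRequest) throws Exception {
        return PropertyUtils.getProperty(bean, pathFromRequest);
    }

    // Hardened form for 1.9.2 through 1.10.x: suppress "declaringClass" in the
    // same way the library already suppresses "class". The registration is
    // global for the current BeanUtilsBean instance, so do it once at startup.
    public static void hardenIntrospection() {
        PropertyUtils.addBeanIntrospector(
            new SuppressPropertiesBeanIntrospector(Collections.singleton("declaringClass")));
    }

    public static void main(String[] args) throws Exception {
        Config cfg = new Config();
        // Constructed attacker-controlled path, as if read from a request parameter.
        String attackerPath = "mode.declaringClass.classLoader";

        // Before hardening this returns a ClassLoader instance.
        System.out.println("before: " + resolveUntrusted(cfg, attackerPath));

        hardenIntrospection();
        try {
            // After hardening the "declaringClass" step is no longer a known
            // property, so PropertyUtils throws NoSuchMethodException.
            System.out.println("after: " + resolveUntrusted(cfg, attackerPath));
        } catch (NoSuchMethodException e) {
            System.out.println("after: blocked (" + e.getMessage() + ")");
        }
    }
}
```

Run it once against 1.9.4 to confirm the "before" line prints a ClassLoader, then again against 1.11.0 without calling hardenIntrospection() to confirm the upgrade alone blocks the path; that second run is the practical check that the commons-validator bump in Kafka actually carries the fixed transitive version.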